Cisco Router Configuration Handbook, Second Edition
Dave Hucaby, Steve McQuerry, Andrew Whitaker
Copyright © 2010 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by
any means, electronic or mechanical, including photocopying, recording, or by any
information storage and retrieval system, without written permission from the publisher, except for
the inclusion of brief quotations in a review.
Printed in the United States of America
First Printing June 2010
Library of Congress Cataloging-in-Publication data is on file.
ISBN-13: 978-1-58714-116-4
ISBN-10: 1-58714-116-7
Warning and Disclaimer
This book is designed to provide information about configuring Cisco routers. Every effort
has been made to make this book as complete and as accurate as possible, but no warranty or
fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems,
Inc. shall have neither liability nor responsibility to any person or entity with respect to any
loss or damages arising from the information contained in this book or from the use of the
discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of
Cisco Systems, Inc.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been
appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of
this information. Use of a term in this book should not be regarded as affecting the validity of
any trademark or service mark.
Corporate and Government Sales
The publisher offers excellent discounts on this book when ordered in quantity for bulk
purchases or special sales, which may include electronic versions and/or custom covers and
content particular to your business, training goals, marketing focus, and branding interests. For
more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419
corpsales@pearsontechgroup.com
For sales outside the United States, please contact: International Sales
international@pearsoned.com
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value.
Each book is crafted with care and precision, undergoing rigorous development that involves
the unique expertise of members from the professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments
regarding how we could improve the quality of this book, or otherwise alter it to better suit your
needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to
include the book title and ISBN in your message.
We greatly appreciate your assistance.
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the
Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step,
Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers,
Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and
the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Americas Headquarters Cisco Systems, Inc.
Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Executive Editor: Brett Bartow
Managing Editor: Sandra Schroeder
Copy Editor: Apostrophe Editing Services
Editorial Assistant: Vanessa Evans
Book Designer: Louisa Adair
Composition: Mark Shirar
Manager, Global Certification: Erik Ullanderson
Business Operation Manager, Cisco Press: Anand Sundaram
Senior Development Editor: Christopher Cleveland
Project Editor: Seth Kerney
Technical Editors: Steve Kalman, Joe Harris
Indexer: WordWise Publishing Services
Proofreaders: Sheri Cain and Water Crest Publishing
Dedications
Dave Hucaby: This book is dedicated to my wife, Marci, and my daughters, Lauren and Kara.
I am blessed to have three wonderful girls in the house; their love, encouragement, and
support carry me along. God is good!
Steve McQuerry: I dedicate this work to my beautiful wife and love of my life, Becky. Also,
to my wonderful children, Katie, Logan, and Cameron. You are all my inspiration. Your
patience, love, and support give me the courage and strength needed to spend the required
time and energy on a project like this. Even through the long hours, I want you to know I love
you all very much.
About the Authors
David Hucaby, CCIE #4594, is a lead network engineer for the University of Kentucky,
where he designs, implements, and maintains campus networks using Cisco products. Prior to
his current position, he was a senior network consultant, providing design and implementation
consulting, focusing on Cisco-based VPN and IP telephony solutions. Hucaby has bachelor of
science and master of science degrees in electrical engineering from the University of
Kentucky. He is also the author of CCNP Switching Exam Certification Guide by Cisco
Press.
Stephen McQuerry, CCIE #6108, is an instructor and consultant with more than ten years of
networking industry experience. He is a certified Cisco Systems instructor (CCSI) and a
course director/developer, teaching routing and switching concepts for Global Knowledge.
McQuerry regularly teaches Cisco Enterprise courses. Additionally, he has developed and
taught custom Cisco switching courses. McQuerry holds a bachelor of science degree in
engineering physics from Eastern Kentucky University. He is also the author of Interconnecting
Cisco Network Devices by Cisco Press.
Andrew Whitaker has been teaching and developing Cisco courses for more than seven years
and holds the following certifications: CCNP, CCVP, CCSP, CCDP, CCNA:Security, MCT,
CEI, CISSP, LPT, CEH, ECSA, MCTS, MCSE, CNE, A+, Network+, Security+, Convergence+,
CTP, CICP, CHFI, EMCPA. He is the author of several books, including Penetration Testing
and Network Defense by Cisco Press.
About the Technical Reviewers
Steven Kalman is the principal officer at Esquire Micro Consultants, which offers lecturing,
writing, and consulting services. He has more than 30 years of experience in data processing,
with strengths in network design and implementation. Kalman is an instructor and author for
Learning Tree International. He has written and reviewed many networking-related titles. He
holds CCNA, CCDA, ECNE, CEN, and CNI certifications.
Joe Harris, CCIE No. 6200 (R/S, Security & SP), is a Triple CCIE working for Cisco as a systems
engineer within the Wireline and Emerging Providers organization, where he specializes in
security and MPLS-related technologies. With more than 16 years of extensive experience
focusing on advanced technologies within the IT arena, Joe has been primarily focused on
supporting various enterprise-sized networks revolving around all aspects of Cisco technology.
He has also provided high-end consulting for both large and small corporations, as well as
local government and federal agencies. Joe holds a bachelor of science degree from Louisiana
Tech University and resides with his wife and two children in Frisco, Texas.
Acknowledgments
Dave Hucaby: I am very grateful for another opportunity to work on a Cisco Press project.
Getting to dabble in technical writing has been great fun, a highlight in my career, and a lot of
work, too! Naturally, these good folks at Cisco Press have gone the extra mile to make writing
enjoyable and achievable: Brett Bartow, who kindly accepted my idea for a book like this and
kindly prodded us along to meet deadlines we didn’t think we could, and Chris Cleveland,
who is a superb development editor. As a matter of fact, every Cisco Press person I have met
along the way has been so nice, encouraging, and excited about their work!
Thanks to our technical reviewers: Steve Kalman and Joe Harris. Working on a book of this
nature has been challenging. The sheer volume and scope of the Cisco IOS Software
commands and features are a little overwhelming. I truly appreciate reviewers who can help us see
a bigger picture of better organization and accuracy while we’re writing in the depths of
configuration commands. This book is also a testimony to the great number of things you can do
with a router, thanks to the Cisco IOS Software. I don’t know how many hundreds of
commands we have covered in this book, but we had to leave out many more lesser-used
commands just to keep a handle on the book’s size and scope. I’m amazed at the robustness of the
software and its dynamic nature.
I would like to express my thanks to my friend and coauthor Steve McQuerry. We’ve followed
each other around for many years, and it has been great to work on this project with him.
Hopefully, we Kentucky boys can work on more things like this.
Lastly, I would like to acknowledge the person who stole my laptop computer halfway
through the first edition of this book project. Whoever you are, you left me a victim of my
own lack of current backups. I made up a silly joke many years ago: “A backup is worth a
million bytes, especially if you have to type them all back in.” Indeed.
Steve McQuerry: About 20 years ago, the late Rodger Yockey gave me an opportunity as a
field engineer in the computer industry. Since then, several people have been there at key
moments to help my career go in certain directions. I owe a great debt to these people, as
they have helped me reach the level I am at today. It is not often that one has the opportunity
to thank those who have been instrumental in molding his career. In addition to Rodger, I
would like to take a moment to also thank Ted Banner for his guidance and mentoring. I would
also like to thank Chuck Terrien for giving me the opportunity to work as an instructor in the
Cisco product line. I would like to thank Brett Bartow for the opportunity to begin sharing
my experiences with the network community by writing for Cisco Press. Last but not least, I
have to thank my friend and coauthor, Dave Hucaby. This book was his concept, and I thank
him for the opportunity to work with him once again. I hope we will always find a way to
continue working together in the future.
Since I began working on book and course projects a couple of years ago, I have a newfound
respect for what it takes to edit, coordinate, publish, and basically keep authors on track.
Behind every Cisco Press book is an incredible staff, and I would be remiss if I did not
acknowledge their work. Chris Cleveland, again it has been great working with you. I hope
that we can work together again in the future.
Without the following individuals behind the book, it would be no more than a collection of
jumbled notes and napkin sketches of networking configurations:
The sharp eyes of all our technical editors on the first and this edition: Joe Harris, Steve
Kalman, Alexander Marhold, and Kevin Turek.
All my students and fellow instructors at Global Knowledge. Your challenges and questions
provide me with the drive to have a better understanding.
My wife and children for their never-ending patience and understanding during this and all of
my projects.
Most important, God, for giving me the skills, talents, and opportunity to work in such a
challenging and exciting profession.
Andrew Whitaker: I would like to express my thanks to both Dave Hucaby and Steve
McQuerry for this opportunity. Brett Bartow and Chris Cleveland, it is great to work with
both of you again. Finally, to Steve Kalman and Joe Harris, I appreciate how diligently you
worked to ensure a quality book.
Contents at a Glance
Introduction xxi
Part I: Configuration Fundamentals
Chapter 1 Configuration Basics 1
Chapter 2 Interface Configuration 73
Chapter 3 Dial Solutions 121
Part II: Network Protocols
Chapter 4 IPv4 Addressing and Services 153
Chapter 5 IPv6 Addressing and Services 195
Chapter 6 IP Routing Protocols 227
Chapter 7 IP Multicast Routing 275
Chapter 8 IP Route Processing 293
Part III: Packet Processing
Chapter 9 Quality of Service 311
Chapter 10 Multiprotocol Label Switching 359
Part IV: Voice & Telephony
Chapter 11 Voice and Telephony 375
Part V: Security
Chapter 12 Router Security 423
Chapter 13 Virtual Private Networks 475
Chapter 14 Access Lists and Regular Expressions 519
Appendixes
Appendix A Cisco IOS Software Release and Filename Conventions 543
Appendix B Cabling Quick Reference 551
Appendix C SNMP MIB Structure 557
Appendix D Password Recovery 561
Appendix E Configuration Register Settings 569
Appendix F Well-Known IP Protocol Numbers 577
Appendix G Well-Known IP Port Numbers 587
Appendix H ICMP Type and Code Numbers 601
Appendix I Well-Known IP Multicast Addresses 605
Appendix J Tool Command Language (TCL) Reference 619
Appendix K Ethernet Type Codes 623
Index 631
Contents
Introduction xxi
Part I: Configuration Fundamentals
Chapter 1 Configuration Basics 1
1-1: User Interfaces 1
Configuration 2
Navigating File Systems 19
1-2: File Management 19
Deleting Files from Flash 22
Moving System Files 23
Configuration Rollback 25
Related File Management Commands 26
Alias Commands 27
1-3: Cisco Discovery Protocol (CDP) 28
Configuration 28
Example 29
1-4: System Time 30
Configuration 30
Example 33
1-5: Logging 34
Configuration 34
Verifying Logging 37
Example 37
1-6: System Monitoring 38
Configuration 39
Example 47
1-7: Service Assurance Agent (SAA) 47
Configuration 48
Example 56
1-8: Buffer Management 56
Configuration 57
Example 61
1-9: Some Troubleshooting Tools 61
IP Connectivity Tools: Extended ping 62
IP Connectivity Tools: ping 62
IP Connectivity Tools: traceroute 63
Debugging Output from the Router 65
Poor Man’s Sniffer 67
Troubleshooting Router Crashes 69
Monitoring Router Activity 70
Getting Assistance from Cisco 71
Information for the Cisco Technical Assistance Center (TAC) 71
Chapter 2 Interface Configuration 73
2-1: Ethernet Interfaces 73
Configuration 74
Example 75
2-2: FDDI Interfaces 76
Configuration 76
Example 76
2-3: Loopback and Null Interfaces 77
Configuration 77
Example 77
2-4: VLAN Interfaces 78
Configuration 78
Example 79
2-5: Tunnel Interfaces 79
Configuration 80
Example 81
2-6: Synchronous Serial Interfaces 82
Configuration 82
Configuring Channelized T1/E1 Serial Interfaces 84
Configuring Synchronous Serial Interfaces 85
Example 91
2-7: Packet-Over-SONET Interfaces 91
Configuration 92
Configuring APS on POS Interfaces 93
Example 94
2-8: Frame Relay Interfaces 95
Configuration 96
Example 104
2-9: Frame Relay Switching 105
Configuration 105
Example 109
2-10: ATM Interfaces 110
Configuration 111
Example 117
Further Reading 118
Ethernet 118
Fast Ethernet 118
Gigabit Ethernet 118
Frame Relay 119
ATM 119
Chapter 3 Dial Solutions 121
3-1: Modems 122
Configuration 122
3-2: ISDN 128
PRI Configuration 129
PRI Example 131
BRI Configuration 131
BRI Example 133
3-3: Dial-on-Demand Routing (DDR) 133
Configuration 134
Example 139
3-4: Dial Backup 141
Dial Backup Configuration 141
Dial Backup Example 142
Dialer Watch Configuration 143
Dialer Watch Example 143
3-5: Routing Over Dialup Networks 144
Snapshot Routing Configuration 145
Snapshot Routing Example 146
ODR Configuration 146
3-6: Point-to-Point Protocol (PPP) 148
Configuration 148
Example 152
Further Reading 152
Part II: Network Protocols
Chapter 4 IPv4 Addressing and Services 153
4-1: IP Addressing and Resolution 154
Configuration 154
Example 157
4-2: IP Broadcast Handling 158
Configuration 158
Example 160
4-3: Hot Standby Router Protocol (HSRP) 160
Configuration 161
Example 164
4-4: Virtual Router Redundancy Protocol 165
Configuration 166
Example 166
4-5: Dynamic Host Configuration Protocol (DHCP) 167
Configuration 167
Example 171
4-6: Mobile IP 172
Configuration 173
Example 176
4-7: Network Address Translation (NAT) 178
Configuration 179
Examples 183
4-8: Server Load Balancing (SLB) 185
Configuration 186
Example 190
Chapter 5 IPv6 Addressing and Services 195
5-1: IPv6 Addressing 196
Configuration 198
Example 198
5-2: Dynamic Host Configuration Protocol (DHCP) Version 6 199
Example 201
5-3: Gateway Load Balancing Protocol Version 6 (GLBPv6) 202
Configuration 203
Example 206
5-4: Hot Standby Router Protocol for IPv6 208
Configuration 208
Example 210
5-5: Mobile IPv6 211
Configuration 212
Example 214
5-6: Network Address Translation-Protocol Translation 215
Configuration 216
Example 220
5-7: Tunneling 221
Configuration 221
Example 223
Chapter 6 IP Routing Protocols 227
6-1: Routing Information Protocol (RIP) 227
Configuration 228
RIP-2-Specific Commands 230
Example 232
6-2: Routing Information Protocol (RIP) for IPv6 233
Example 233
Configuration 233
6-3: Enhanced Interior Gateway Routing Protocol (EIGRP) 234
Configuration 235
Example 238
6-4: Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv6 239
Configuration 239
Example 242
6-5: Open Shortest Path First (OSPF) 242
Configuration 243
Example 249
6-6: Open Shortest Path First (OSPF) Version 3 (IPv6) 250
Configuration 251
Example 252
6-7: Integrated IS-IS 252
Configuration 253
Example 255
6-8: Integrated IS-IS for IPv6 257
Configuration 257
6-9: Border Gateway Protocol (BGP) 257
Configuration 259
Example 268
6-10: Multiprotocol Border Gateway Protocol (BGP) for IPv6 270
Configuration 270
Example 271
Chapter 7 IP Multicast Routing 275
7-1: Protocol Independent Multicast (PIM) 275
Configuration 277
Example 279
7-2: Internet Group Management Protocol (IGMP) 280
Configuration 281
Example 283
7-3: Multiprotocol BGP (MBGP) 284
Configuration 285
Example 286
7-4: Multicast Source Discovery Protocol (MSDP) 287
Configuration 288
Example 289
7-5: IPv6 Multicast 290
Configuration 290
Example 291
Chapter 8 IP Route Processing 293
8-1: Manually Configuring Routes 293
Configuration 294
Example 295
8-2: Policy Routing 296
Configuration 296
Example 298
8-3: Redistributing Routing Information 298
Configuration 298
Example 304
8-4: Filtering Routing Information 305
Configuration 306
Example 308
8-5: Load Balancing 308
Configuration 308
Example 309
Part III: Packet Processing
Chapter 9 Quality of Service 311
9-1: Modular QoS Command-Line Interface (MQC) 314
Configuration 315
MQC Example 321
9-2: Network-Based Application Recognition (NBAR) 322
Configuration 323
NBAR Example 327
9-3: Policy-Based Routing (PBR) 327
Configuration 328
9-4: Quality of Service for VPNs 329
Configuration 329
QoS for VPNs Example 330
9-5: QoS Policy Propagation via BGP 330
Custom Queuing Example 336
9-8: Weighted Fair Queuing (WFQ) 337
Configuration 337
Weighted Fair Queuing Example 339
9-9: Weighted Random Early Detection (WRED) 340
Configuration 340
Weighted Random Early Detection Example 341
9-10: Committed Access Rate (CAR) 342
Configuration 342
Committed Access Rate Example 343
9-11: Generic Traffic Shaping (GTS) 344
Configuration 344
Generic Traffic Shaping Example 345
9-12: Frame Relay Traffic Shaping (FRTS) 345
Configuration 346
Frame Relay Traffic Shaping Example 347
9-13: Use RSVP for QoS Signaling 348
Configuration 348
Using RSVP for QoS Signaling Example 351
9-14: Link Efficiency Mechanisms 351
Configuration 352
Link Efficiency Mechanism Example 353
9-15: AutoQoS for the Enterprise 353
Configuration 354
Example 356
Chapter 10 Multiprotocol Label Switching 359
10-1: Configuring Basic MPLS 359
Configuration 360
Example 362
10-2: MPLS Traffic Engineering 364
Configuration 365
Example 368
10-3: MPLS Virtual Private Networks (VPN) 369
Configuration 369
Example 371
Part IV: Voice & Telephony
Chapter 11 Voice and Telephony 375
11-1: Quality of Service for Voice 376
11-2: Voice Ports 381
Configuration 382
11-3: Dialing 395
Configuration 396
11-4: H.323 Gateways 405
Configuration 406
11-5: H.323 Gatekeepers 408
Configuration 408
Example 414
11-6: Interactive Voice Response (IVR) 415
Configuration 415
11-7: Survivable Remote Site (SRS) Telephony 417
Configuration 417
Example 420
Part V: Security
Chapter 12 Router Security 423
12-1: Suggested Ways to Secure a Router 424
User Authentication on the Router 424
Control Access to the Router Lines 424
Configure Login Timing Options 425
Use Warning Banners to Inform Users 426
Router Management 426
Implement Logging on the Router 427
Control Spoofed Information 427
Control Unnecessary Router Services 428
12-2: Authentication, Authorization, and Accounting (AAA) 429
Configuration 430
Example 437
12-3: Dynamically Authenticate and Authorize Users with Authentication Proxy 438
Configuration 439
Example 442
12-4: Controlling Access with Lock and Key Security 442
Configuration 442
Example 445
12-5: Filtering IP Sessions with Reflexive Access Lists 446
Configuration 446
Example 448
12-6: Prevent DoS Attacks with TCP Intercept 448
Configuration 449
Example 451
12-7: Intelligent Filtering with Context-Based Access Control (CBAC) 451
Configuration 451
Example 456
12-8: Detect Attacks and Threats with the IOS Intrusion Prevention System 458
Configuration 458
Example 471
12-9: Control Plane Security 471
Configuration 472
Example 472
12-10: AutoSecure 473
Configuration 473
Example 474
Chapter 13 Virtual Private Networks 475
13-1: Using Internet Key Exchange (IKE) for VPNs 476
Configuration 476
Example 482
13-2: IPSec VPN Tunnels 483
Configuration 484
Example 490
13-3: High Availability Features 493
Configuration 494
Example 497
13-4: Dynamic Multipoint VPN (DMVPN) 504
Configuration 505
Example 511
13-5: Secure Socket Layer VPNs 514
Configuration 515
Example 517
Further Reading 517
Chapter 14 Access Lists and Regular Expressions 519
14-1: IP Access Lists 521
Configuration 521
Examples 530
14-2: MAC Address and Protocol Type Code Access Lists 532
Configuration 532
Examples 533
14-3: IPv6 Access Lists 533
Configuration 534
Examples 538
14-4: Regular Expressions 539
Configuration 539
Examples 540
Appendixes
Appendix A Cisco IOS Software Release and Filename Conventions 543
Appendix B Cabling Quick Reference 551
Appendix C SNMP MIB Structure 557
Appendix D Password Recovery 561
Appendix E Configuration Register Settings 569
Appendix F Well-Known IP Protocol Numbers 577
Appendix G Well-Known IP Port Numbers 587
Appendix H ICMP Type and Code Numbers 601
Appendix I Well-known IP Multicast Addresses 605
Appendix J Tool Command Language (TCL) Reference 619
Appendix K Ethernet Type Codes 623
Index 631
Icons Used in This Book
Throughout this book, you see the following icons used for networking devices:
The following icons are used for peripherals and other devices:
[Icon legend; the images themselves are not reproduced here: ATM Switch, ISDN/Frame Relay Switch, Communication Server, Macintosh, Terminal, File Server, Web Server, CiscoWorks Workstation, Mainframe, Front End Processor, Cluster Controller]
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions
used in the IOS Command Reference. The Command Reference describes these conventions
as follows:
■ Boldface indicates commands and keywords that are entered literally as shown. In
actual configuration examples and output (not general command syntax), boldface
indicates commands that are manually input by the user (such as a show command).
■ Vertical bars (|) separate alternative, mutually exclusive elements.
■ Square brackets ([ ]) indicate an optional element.
■ Braces ({ }) indicate a required choice.
■ Braces within brackets ([{ }]) indicate a required choice within an optional element.
Introduction
There are many sources of information and documentation for configuring Cisco networking
devices, but few provide a quick and portable solution for networking professionals. This
book is designed to provide a quick-and-easy reference guide for a wide range of commonly
used features that can be configured on Cisco routers. In essence, the subject matter from an
entire bookshelf of Cisco IOS Software documentation, along with other networking
reference material, has been “squashed” into one handy volume that you can take with you.
The idea for this book began with my study habits for the CCIE written and lab exam. Over
time, I found that I had put together a whole notebook of handwritten notes about how to
configure a variety of Cisco router features. I also found that I began carrying this notebook
with me into the field as a network consultant. When you’re on the job and someone requires
you to configure a feature you’re not too familiar with, it’s nice to have your handy reference
notebook in your bag! Hopefully, this book will be that handy reference for you.
Features and Organization
This book is meant to be used as a tool in your day-to-day tasks as a network administrator or
engineer. As such, we have avoided presenting a large amount of instructional information or
theory on the operation of protocols or commands. That is better handled in other textbooks
dedicated to a more limited subject matter.
Instead, this book is divided into parts that present quick facts, configuration steps, and
explanations of configuration options for each feature in the Cisco IOS Software.
How to Use This Book
All the information in this book has been designed to follow a quick-reference format. If you
know what feature or technology you want to use, you can turn right to the section that deals
with it. Sections are numbered with a quick-reference index, showing both chapter and section
number. For example, 13-3 is Chapter 13, Section 3. You'll also find shaded index tabs on each
page, listing the section number, the chapter subject, and the topic dealt with in that section.
Facts About a Feature
Each section in a chapter includes a bulleted list of quick facts about the feature, technology,
or protocol. Refer to these lists to quickly learn or review how the feature works. Immediately
following, we have placed a note that details what protocol or port number the feature uses. If
you are configuring filters or firewalls and you need to know how to allow or block traffic
from the feature, look for these notes.
Configuration Steps
Each feature covered in a section includes the required and optional commands used for
common configuration. The difference is that the configuration steps are presented in an outline
format. If you follow the outline, you can configure a complex feature or technology. If you
find that you don't need a certain feature option, skip over that level in the outline.
Sample Configurations
Each section includes an example of how to implement the commands and their options. We
have tried to present the examples with the commands listed in the order you would actually
enter them to follow the outline. Many times, it is more difficult to study and understand a
configuration example from an actual router, because the commands are displayed in a
predefined order, not in the order you entered them. Where possible, the examples have also been
trimmed to show only the commands presented in the section.
Further Reading
Each chapter ends with a recommended reading list to help you find more in-depth sources of
information for the topics discussed.
■ A router supports user access by command-line interface (CLI), a web browser, or by GUI
device management tools. A router also provides a user interface to the ROM monitor
bootstrap code.
■ Users can execute IOS commands from a user level or from a privileged level. User level
offers basic system information and remote connectivity commands. Privileged level
offers complete access to all router information, configuration editing, and debugging
commands.
■ A router offers many levels of configuration modes, allowing the configuration to be
changed for a variety of router resources.
■ A context-sensitive help system offers command syntax and command choices at any user
■ Parameters for the CLI connection to the router can be set to preferred values.
■ Asynchronous ports on a router can be connected to other serial devices. You can open
reverse-Telnet connections to the external devices for remote access.
■ Banners can be defined and displayed at various points in the login process.
■ Menus can be defined to give terminal session users easy access to other functions or
remote systems.
■ Role Based Access Control (RBAC) enables you to define the rules for an assigned role that
restricts the authorization that the user has to access for management and configuration.
■ Access to the router can be configured for Secure Shell (SSH) version 1 or version 2.
Configuration
1. User interface modes
a. User EXEC mode: Users can connect to a router via the console port, auxiliary port,
Telnet session, SSH session, or the Security Device Manager (SDM). By default, the
initial access to a router places the user in user EXEC mode and offers a limited set of
commands. When connecting to the router, a user-level password might or might not
be required.
b. Privileged EXEC mode:
(exec) enable
password: [password]
As soon as a user gains access in user EXEC mode, the enable command can be
used to enter privileged EXEC or enable mode. Full access to all commands is
available. To leave privileged EXEC mode, use the disable or exit commands.
c. Configuration mode:
(exec) configure terminal
From privileged EXEC mode, configuration mode can be entered. Router commands
can be given to configure any router feature that is available in the IOS software
image. When you are in configuration mode, you are managing the router’s active
memory. Anytime you enter a valid command in any configuration mode and press
Enter, the memory is immediately changed. Configuration mode is organized in a
hierarchical fashion. Global configuration mode allows commands that affect the
router as a whole. Interface configuration mode allows commands that configure
router interfaces. There are many other configuration modes that you can move into
and out of, depending on what is being configured. To move from a lower-level
configuration mode to a higher level, type exit. To leave global configuration mode
and return to privileged EXEC mode, type exit at the global configuration prompt.
To leave any configuration mode and return to privileged EXEC mode, type end or
press Ctrl-z.
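The mode hierarchy described in step 1c is what a saved running-config reflects: global commands sit at column 0 and each sub-mode's commands are indented beneath the command that entered it. The following Python parser (an added example, not code from the book or from Cisco) walks that hierarchy over a constructed sample config and audits the line-mode settings this section covers, logging synchronous and history size, together with the transport accepted on the vty lines; transport input and ip ssh version are standard IOS commands assumed here rather than commands shown on this page.

```python
"""Parse a Cisco IOS running-config into its mode hierarchy and audit the
console/aux/vty line settings discussed in this section.

Added example, not code from the book or from Cisco IOS. The sample config is
constructed; 'transport input' and 'ip ssh version' are standard IOS commands
assumed here, not commands shown on this page."""
from typing import Dict, List, Tuple

DEFAULT_HISTORY_SIZE = 10  # IOS default stated in this section

# Constructed sample, laid out the way 'show running-config' prints it:
# global commands at column 0, sub-mode commands indented by one space.
SAMPLE_CONFIG = """\
hostname EdgeRouter
!
ip ssh version 2
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line con 0
 logging synchronous
 history size 50
line aux 0
 transport input none
line vty 0 4
 transport input ssh
 logging synchronous
 history size 100
line vty 5 15
 transport input telnet ssh
!
end
"""

Section = Tuple[str, List[str]]  # (global command or mode header, indented sub-commands)


def parse_sections(config: str) -> List[Section]:
    """Split a running-config into (header, sub-commands) pairs.

    A line at column 0 is a global-mode command; when it enters a sub-mode
    (interface, line, ...), the indented lines that follow belong to it.
    '!' separators, blank lines and the closing 'end' are skipped."""
    sections: List[Section] = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!" or text == "end":
            continue
        if raw.startswith(" "):
            if not sections:
                raise ValueError(f"sub-command before any mode header: {text!r}")
            sections[-1][1].append(text)
        else:
            sections.append((text, []))
    return sections


def history_size(sub_commands: List[str]) -> int:
    """Effective 'history size' for a line; the IOS default applies when unset."""
    for cmd in sub_commands:
        parts = cmd.split()
        if parts[:2] == ["history", "size"] and len(parts) == 3:
            return int(parts[2])
    return DEFAULT_HISTORY_SIZE


def audit_lines(config: str) -> Dict[str, List[str]]:
    """Report, per 'line ...' section, the settings a reviewer would flag.

    Every line should carry 'logging synchronous'; vty lines should accept
    SSH only. A 'global' entry is added when 'ip ssh version 2' is absent."""
    sections = parse_sections(config)
    findings: Dict[str, List[str]] = {}
    for header, cmds in sections:
        if not header.startswith("line "):
            continue
        issues: List[str] = []
        if "logging synchronous" not in cmds:
            issues.append("logging synchronous not set; console output will break up command editing")
        if header.startswith("line vty"):
            transports = [c.split()[2:] for c in cmds if c.startswith("transport input ")]
            if not transports:
                issues.append("transport input not set explicitly on a vty line")
            elif transports[0] != ["ssh"]:
                issues.append(f"vty accepts {' '.join(transports[0])}; prefer 'transport input ssh'")
        findings[header] = issues
    if "ip ssh version 2" not in {h for h, _ in sections}:
        findings["global"] = ["ip ssh version 2 not set; SSH version 1 may be negotiated"]
    return findings


if __name__ == "__main__":
    for line_name, issues in audit_lines(SAMPLE_CONFIG).items():
        print(f"{line_name}: {issues or 'ok'}")
```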
2. User interface features
a. Entering commands:
(any mode) command
(any mode) no command
Commands can be entered from any mode (EXEC, global, interface, subinterface,
and so on). To enable a feature or parameter, type the command and its options
normally, as in command. To disable a command that is in effect, begin the
command with no, followed by the command. You can see the commands that are in
effect by using the show running-config command. Note that some commands
and parameters are set by default and are not shown as literal command lines in the
configuration listing.
Commands and their options can also be abbreviated with as few letters as
possible without becoming ambiguous. For example, to enter the interface
configuration mode for ethernet 0, the command interface ethernet 0 can be abbreviated as
int e 0.
A command line may be edited using the left and right arrow keys to move within
the line. If additional characters are typed, the remainder of the line to the right is
spaced over. The Backspace and Delete keys may be used to make corrections.
Note: If the router displays a console informational or error message while you are typing
a command line, you can press Ctrl-l or Ctrl-r to redisplay the line and continue editing.
You can also configure the lines (console, vty, or aux) to use logging synchronous. This
causes the router to automatically refresh the lines after the router output. If you issue
debug commands with logging synchronous enabled, you might have to wait for the router
to finish the command (such as a ping) before you see the output.
b. Context-sensitive help
You can enter a question mark (?) anywhere in a command line to get additional information from the router. If the question mark is typed alone, all available commands for that mode are displayed. Question marks can also be typed at any place after a command, keyword, or option. If the question mark follows a space, all available keywords or options are displayed. If the question mark follows another word without a space, a list of all available commands beginning with that substring is displayed. This can be helpful when an abbreviated command is ambiguous and flagged with an error.
An abbreviated command may also be typed, followed by pressing the Tab key. The command name is expanded to its full form if it is not ambiguous.
If a command line is entered but doesn’t have the correct syntax, the error “% Invalid input detected at ‘^’ marker” is returned. A caret (^) appears below the command character where the syntax error was detected.
c. Command history
(Optional) Set the number of commands to save (default 10). To set the history size for the current terminal session, enter
(exec) terminal history [size lines]
To set the history size for all sessions on a line, enter
(line) history [size lines]
Recall commands to use again.
From any input mode, each press of the up arrow (↑) or Ctrl-p recalls the next older command. Each press of the down arrow (↓) or Ctrl-n recalls the next most recent command. When commands are recalled from history, they can be edited as if you just typed them. The show history command displays the recorded command history.
Note The up- and down-arrow keys require the use of an ANSI-compatible terminal emulator (such as VT100).
d. Search and filter command output
Sift through output from a show command:
(exec) show command | {begin | include | exclude} reg-expression
A show command can generate a long output listing. If the listing contains more lines than the terminal session can display (set using the length parameter), the output is displayed a screenful at a time with a More prompt at the bottom. To see the next screen, press the spacebar. To advance one line, press the Enter key. To exit to the command line, press Ctrl-c, q, or any key other than Enter or the spacebar.
To search for a specific regular expression and start the output listing there, use the begin keyword. This can be useful if your router has many interfaces in its configuration. Rather than using the spacebar to eventually find a certain configuration line, you can use begin to jump right to the desired line. To display only the lines that include a regular expression, use the include keyword. To display all lines that don’t include a regular expression, use the exclude keyword.
Sift through output from a more command:
(exec) more file-url | {begin | include | exclude} reg-expression
Table 1-1 Regular expression operators
. Matches a single character
* Matches zero or more sequences of the preceding pattern
+ Matches one or more sequences of the preceding pattern
? Matches zero or one occurrence of the preceding pattern
^ Matches at the beginning of the string
$ Matches at the end of the string
_ Matches a comma, braces, parentheses, beginning or end of a string, or a space
[ ] Defines a range of characters as a pattern
( ) Groups characters as a pattern. If this is used around a pattern, the pattern can be recalled later in the expression using a backslash (\) and the pattern occurrence number
The more command displays the contents of a file on the router. A typical use is to display the startup (more nvram:startup-config) or running (more system:running-config) configuration file. By default, the file is displayed one screen at a time with a More prompt at the bottom.
To search for a specific regular expression and start the output listing there, use the begin keyword. To display only the lines that include a regular expression, use the include keyword. To display all lines that don’t include a regular expression, use the exclude keyword.
Search through the output at a More prompt:
(More) {/ | + | -}regular-expression
At a More prompt, you can search the output by typing a slash (/) followed by a regular expression. To display only lines that include the regular expression, type a plus (+). To display only lines that don’t include the regular expression, type a minus (-).
What is a regular expression?
A regular expression can be used to match lines of output. Regular expressions are made up of patterns—either simple text strings (such as ethernet or ospf) or more-complex matching patterns. Typically, regular expressions are regular text words that offer a hint to a location in the output of a show command.
A more-complex regular expression is made up of patterns and operators. Table 1-1 lists the characters that are used as operators.
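To make the filter semantics concrete, the following Python script (an added example, not code from the book) reimplements the begin, include and exclude filters and the operators of Table 1-1 over a constructed show running-config excerpt. The SAMPLE_SHOW_OUTPUT text and the function names are the example’s own; the only operator that needs translating for Python’s re module is the IOS-specific underscore.

```python
import re

# Constructed sample "show running-config" output (not from the book); it only
# needs to resemble IOS output closely enough to exercise the filters.
SAMPLE_SHOW_OUTPUT = """\
hostname Router1
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0
 ip address 10.1.2.1 255.255.255.0
 shutdown
!
interface Serial01
 ip address 10.1.3.1 255.255.255.0
!
line con 0
 exec-timeout 5 0
line vty 0 4
 login
 transport input telnet
!
end
"""

# Table 1-1's "_" operator has no direct Python equivalent: it matches a comma,
# braces, parentheses, a space, or the beginning or end of the string.
_UNDERSCORE = r"(?:^|$|[,{}() ])"


def ios_to_python_regex(pattern: str) -> str:
    """Translate an IOS regular expression into a Python one.

    Only "_" needs rewriting; . * + ? ^ $ [ ] ( ) and \\N back-references mean
    the same thing in Python's re module. A backslash-escaped character (for
    example "\\_" or a "\\1" back-reference) is copied through unchanged.
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])
            i += 2
            continue
        out.append(_UNDERSCORE if ch == "_" else ch)
        i += 1
    return "".join(out)


def ios_match(pattern: str, line: str) -> bool:
    """True if the IOS regular expression matches anywhere in the line."""
    return re.search(ios_to_python_regex(pattern), line) is not None


def filter_output(text: str, mode: str, pattern: str) -> list:
    """Apply "| begin", "| include" or "| exclude" to a block of show output.

    begin   -> everything from the first matching line to the end
    include -> only the matching lines
    exclude -> only the lines that do not match
    """
    lines = text.splitlines()
    if mode == "begin":
        for idx, line in enumerate(lines):
            if ios_match(pattern, line):
                return lines[idx:]
        return []
    if mode == "include":
        return [ln for ln in lines if ios_match(pattern, ln)]
    if mode == "exclude":
        return [ln for ln in lines if not ios_match(pattern, ln)]
    raise ValueError("mode must be begin, include or exclude")


if __name__ == "__main__":
    # "_Serial0_" finds Serial0 but not Serial01, because "_" insists on a
    # delimiter (or the end of the string) right after the name.
    for ln in filter_output(SAMPLE_SHOW_OUTPUT, "include", "_Serial0_"):
        print(ln)
    print("---")
    for ln in filter_output(SAMPLE_SHOW_OUTPUT, "begin", "line vty"):
        print(ln)
```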
3. Terminal sessions
a. Start a new session:
(exec) telnet host
This initiates a Telnet connection to host (either an IP address or a host name). Then, from the router CLI, you can continue communicating with the remote host.
b. Name a session:
(exec) name-connection
(exec) Connection number: number
(exec) Enter logical name: name
An active session can be assigned a text string name to make the session easier to identify with the show sessions or where command.
c. Suspend a session to do something else
During an active Telnet session to a host, press the escape sequence Ctrl-Shift-6, x, also written as Ctrl-^, x. Ctrl-^ is the IOS escape sequence, and the additional x tells the router to suspend a session. This suspends the Telnet session and returns you to the local router command-line prompt.
Note It is possible to have nested Telnet sessions open. For example, from the local router, you can Telnet to another router A, then Telnet to another router B, and so forth. To suspend one of these sessions, you must also nest your escape sequences. Pressing a single Ctrl-^x suspends the session to router A and returns you to the local router. Pressing Ctrl-^ Ctrl-^x suspends the session to router B and returns you to router A’s prompt. (Press the x only at the final escape sequence.)
d. Show all active sessions:
(exec) show sessions
All open sessions from your connection to the local router are listed, along with connection numbers. You can also use the where command to get the same information.
e. Return to a specific session
First, use the show sessions command to get the connection number of the desired session. Then, just type the connection number by itself on the command line. The session is reactivated. You can also just press Return or Enter at the command-line prompt, and the last active connection in the list is reactivated. The last active connection in the list is denoted by an asterisk (*). This makes toggling between the local router and a single remote session easier.
Note When you resume the connection, you are prompted with the message “[Resuming connection 2 to Router ]”. You must press Enter again to actually resume the connection.
f. End an active session:
(remote session) Ctrl-^ x
(exec) disconnect connection-number
As soon as the remote session is suspended, you can use the disconnect command to end the session and close the Telnet connection. Otherwise, your session remains open until the remote host times out the connection (if at all).
g. Terminal screen format
Set the screen size for the current session only:
(exec) terminal length lines
(exec) terminal width characters
Set the screen size for all sessions:
(line) length lines
(line) width characters
The screen is formatted to characters wide by lines high. When the number of lines of output from a command exceeds lines, the More prompt appears. If you don’t want the output displayed by page with More, use length 0. The default length for sessions is 24 lines, and the default width for settings is 80 characters.
h. Allow for temporary locking of your terminal session
(line) lockable
You can prevent access to your session while still keeping the session open by setting a temporary password. To enable this feature, first configure the lockable line configuration command. Then, to temporarily lock your session, enter the lock command in either user or privileged EXEC mode. You will be prompted for a password that you can use later when resuming your session.
i. Reverse Telnet connections
Connect an asynchronous serial router line.
Any asynchronous line on a router can be used to support remote connections to external devices (that is, console ports on other Cisco routers or switches). Using a console “rollover” cable or a high-density access server cable, connect an async line on the local router to an asynchronous serial port on the external device. The AUX port or any async serial line on a Cisco access server can be used for this purpose.
Enable the Telnet protocol on a line:
(line) transport input telnet
(line) no login
(line) no exec
To choose the appropriate line, use either line aux 0 or line number, where number is the async line number. Because this line is used as a transparent connection between the external device and a remote user, no interactive process should be running on the local router that would interfere. Therefore, the no login command should be used to stop any local login prompting process, and no exec should be used to stop the executive process from interacting with any local character interpretation from devices attached to the line.
Set the async serial parameters:
(line) speed baud
(line) databits {5 | 6 | 7 | 8}
(line) stopbits {1 | 1.5 | 2}
(line) parity {none | even | odd | space | mark}
The async line should be set to match the characteristics of the remote device. speed sets both receive and transmit baud rates, baud. Common values are 300, 1200, 2400, 4800, 9600, 19200, 38400, and 115200. To view the default or current line settings, use the show line line command.
Open a reverse Telnet connection to the line:
(exec) telnet ip-address port
From a remote location (or from the local router if desired), open a Telnet session to the IP address of the local router. In addition, a TCP port number must be given, as port. Reverse Telnet connections to async lines use TCP port numbers, beginning with 2000. You determine the port number by adding the line number (in decimal) to 2000 (also in decimal). For example, line 1 is port 2001, and line 15 is port 2015.
Note You will be Telnetting to an active IP address on the router. Although this can be any address on the router, it is a common practice to configure a loopback address on the router. See Chapter 2, “Interface Configuration,” for more information on loopback addresses.
If you have a router with many async lines, it might be difficult to determine the correct line number for a specific line. Use show users all to display all available lines on the router, including the console, AUX line, and vty or Telnet lines. The physical line number is displayed in the leftmost column of the output, under the heading “Line.” Usually, the console is line 0 (but it can’t be used for reverse Telnet), and the AUX line is line 1, followed by other async lines and/or vty lines.
Also, you might sometimes receive a response that the port is unavailable. In this case, either another user has an active Telnet session open on that port, or the physical line needs to be reset. To reset the line, use the clear line line-number command on the local router.
Close the reverse-Telnet session:
(session) Ctrl-^ x
(exec) disconnect session
To suspend the current reverse-Telnet session and return to the local router prompt, press the escape sequence (the default is Ctrl-^ x or Ctrl-Shift-6 x). To end the reverse-Telnet session, use the disconnect command along with the session number. If you forget the session number of the reverse-Telnet session, use the show sessions or where command.
j. Send a message to another terminal session:
(exec) send {line-number | * | aux number | console number | tty number | vty number}
Sometimes it is convenient to send quick messages to users who are Telnetted into a router. For example, you and a colleague might be logged into the same router but be located in different cities. A text message can be sent to either a specific line number (line-number), all lines (*), the AUX line (aux number), the router console (console number), a specific tty line (tty number), or a specific vty line (vty number). To find a user on a specific line, use the show users command. The router prompts for a text message to send. After typing the message, end with Ctrl-z.
k. Configure session timeout values
Define an absolute timeout for a line:
(line) absolute-timeout minutes
All active sessions on the line are terminated after minutes have elapsed. (The default is 0 minutes, or an indefinite session timeout.)
Define an idle timeout for a line:
(line) session-timeout minutes [output]
All active sessions on the line are terminated only if they have been idle for minutes. (The default is 0 minutes, or an indefinite idle timeout.) The output keyword causes the idle timer to be reset by outbound traffic on the line, keeping the connection up.
Define an idle timeout for all EXEC-mode sessions:
(line) exec-timeout minutes [seconds]
Active EXEC mode sessions are automatically closed after an idle period of minutes and seconds (the default is 10 minutes). To disable idle EXEC timeouts on the line, use the no exec-timeout or exec-timeout 0 0 command.
Enable session timeout warnings:
(line) logout-warning [seconds]
Users are warned of an impending logout seconds before it occurs. By default, no warning is given. If the seconds field is left off, it defaults to 20 seconds.
4. Secure Shell connections
Note Cisco IOS supports only SSH version 1, with User ID and Password authentication. To use SSH, you must have an IPSec encryption software image. A DES (56-bit) image supports only DES encryption, and a 3DES (168-bit) image supports either DES or 3DES. (See Appendix A, “Cisco IOS Software Releases and Filename Conventions,” for details on determining what feature sets your software image supports.) SSH uses UDP and TCP port number 22.
a. Configure a host name and a domain name for the router:
(global) hostname hostname
(global) ip domain-name domain
The router must have both a host name and an IP domain name assigned, although the router does not have to be entered in a domain name server. The host name and domain name are used during encryption key computation.
b. Generate the RSA key pair for authentication:
(global) crypto key generate rsa
A public and private key pair is generated for authentication to a remote session. This command is executed once at the time it is entered. Neither the command nor the keys are shown as part of the router configuration, although the keys are stored in a private NVRAM area for security. This command prompts for a modulus length (360 to 2048 bits; the default is 512). The higher the modulus, the better the encryption and the longer the computation time. Cisco recommends a minimum modulus of 1024 bits. You can view your public key by executing the show crypto key mypubkey rsa privileged EXEC command. You can delete the RSA key pair with the crypto key zeroize rsa privileged EXEC command.
The aaa new-model command causes the local username and password to be used on the router in the absence of other AAA statements. Alternatively, you can use the login local line command to accomplish the same task.
d. Configure user authentication
Local user authentication:
(global) username username password password
Users can be authenticated locally on the router, provided that both a username and password are configured. The password is entered as a cleartext string containing up to 80 alphanumeric characters, including embedded spaces. Passwords are case-sensitive.
AAA user authentication:
Users can be authenticated by a remote AAA server. For more information on configuring an AAA server, see Section 12-2.
e. Configure SSH parameters:
(global) ip ssh {[timeout seconds] | [authentication-retries retries]}
The timeout keyword defines the maximum time for SSH negotiation with the remote device (the default is 120 seconds). The number of authentication retries can be defined with the authentication-retries keyword (the maximum is 5 retries; the default is 3).
f. Enable the SSH protocol on a line:
(line) transport input ssh
By default, all input protocols are allowed on lines. Enter the no transport input all command to disable all inbound connections on a line. Then enter the transport input ssh command to allow only inbound SSH connections on a line.
g. Configure the SSH version:
(global) ip ssh version [1 | 2]
Starting with IOS 12.1(19)E, you can use SSH version 2. To support both versions 1 and 2, enter the no ip ssh version global configuration command. This IOS version also introduced the capability to display a login banner prior to connecting to a router unless the router is configured to use only SSH version 1.
h. Telnet to the router from an SSH-capable device
All inbound SSH sessions to the router are opened to the VTY (Telnet) lines. The number of concurrent Telnet sessions (both non-SSH and SSH) is limited by the number of VTY lines that are configured.
i. (Optional) Open an outbound SSH session from the router:
(exec) ssh [-v 2] [-l userid] [-c {des | 3des | aes192-cbc | aes256-cbc}] [-m {hmac-md5 | hmac-md5-96 | hmac-sha1 | hmac-sha1-96}] [-o numberofpasswdprompts prompts] [-p port] {ip-address | hostname} [command]
An SSH session is opened to the host given by ip-address or hostname. Starting with IOS 12.1(19)E, you can specify SSH 2 with the -v 2 keyword. By default, the current username on the local router is used for authentication on the remote device. This can be overridden by the -l userid keyword. The type of encryption is specified as either DES, 3DES, AES192-cbc, or AES256-cbc using the -c keyword. The -m keyword sets the hashing algorithm used for authentication if configured on the SSH router. The number of prompts for a password can be set by the -o numberofpasswdprompts keyword (1 to 5; the default is 3). The port number used for the SSH session can be set using the -p port keyword (the default is 22). The command field specifies the command to be run on the remote device, assuming that the authenticated user has access to that command. If embedded spaces are needed, enclose the command string in double quotation marks.
5. Configuring access to the router
a. (Optional) Set up authentication for users
Define a username and password:
(global) username name {password password | password encrypt-type encrypted-password}
Enable authentication for a specific username name. The password keyword can define a text string password to be used at login time. An encrypted password from a previous router configuration can be copied and pasted into this command using the encrypt-type encrypted-password fields. An encrypt-type of 0 means that the password is unencrypted and is in clear text, and 7 means that the password is already encrypted.
Define a username to run a command automatically:
(global) username name nopassword autocommand command
The username name is defined as a login name. When it is used, no password is required, and the router command command is run automatically. Afterward, the user is logged out and disconnected.
Alter a user’s access privileges:
(global) username name [access-class acc-list] [noescape] [nohangup] [privilege level]
The access-class keyword specifies an access list for the username that overrides one used in a line’s access-class command. The noescape keyword prevents the user from using the escape sequence to suspend the session. The nohangup keyword returns the user to EXEC mode after an automatic command completes. A user’s default privilege level (1) can be set using the privilege keyword.
b. Configure login authentication
First, you must choose a line for incoming users.
For an asynchronous port (line), enter the following command:
(global) line {console 0 | aux 0 | number}
Asynchronous ports are called lines in the router configuration. Lines are identified by number. If you aren’t sure of the line number on an async port, use the show users all command to display all lines and their numbers. You can configure the following lines: console port (line console 0), auxiliary port (line aux 0), and async lines on an access server (line number).
For a virtual terminal line (vty) for Telnet access, enter the following command:
(global) line vty first [last]
vty ports are also called lines in the router configuration. Several vty lines can be configured so that more than one Telnet session can be active to the router. A range of vty lines can be configured at one time by using both first and last vty numbers.
Note VTY lines require a password to be configured before user access is enabled. Otherwise, the router closes any incoming Telnet sessions immediately.
To enable login authentication without a username, enter the following command sequence:
(line) login
(line) password password
Users are prompted for a password on the specified line. The password text string can be up to 80 alphanumeric characters with embedded spaces. The first character cannot be a number.
To enable login authentication with a router-defined username, enter the following command:
(line) login local
Individual usernames must first be configured as shown in Step 5a. The router then authenticates users on the specified line against the locally defined usernames and passwords.
To enable logins with TACACS authentication, enter the following command:
(line) login tacacs
The router authenticates users by interacting with a standard or extended TACACS (not TACACS+) server.
To enable logins with AAA/TACACS+, enter the following command:
(line) login authentication
The router authenticates users by interacting with an external AAA server. Refer to Section 13-2 for more information on configuring AAA features.
c. Privileged mode (enable mode):
(global) enable secret enable-password
To access privileged mode, you must enter the enable password. This password can be set to enable-password. The password is encrypted using a strong nonreversible encryption algorithm and is then stored in a special secure location in NVRAM. The password must have 1 to 25 alphanumeric characters. The first character cannot be a number, and embedded spaces are accepted.
The enable password can also be set using the enable password command. Cisco recommends using the enable secret command instead, because the password has a stronger encryption and is not stored in the router configuration.
The enable secret [level level] enable-password command can be used to set the password required for entering the privilege level specified. Levels range from 0 to 15, where 1 is the normal EXEC level and 15 is enable mode.
Note An enable or enable secret password is not required for the router. If you don’t have one configured, you are not prompted for the password when you issue the enable command from the console. If you do not have an enable or enable secret password, however, you can’t access privileged EXEC mode from any Telnet or other line into the router.
Access to specific IOS commands can be granted to privilege levels so that you can create user communities with varying capabilities. For example, you might want to allow a group of users to access the show cdp neighbors command without being in enable mode at level 15. Use the following command to allow a privilege level to run a command:
(global) privilege mode [level level command | reset command]
Here, mode is the basic mode of the user-level interface. There are many modes to choose from, but the most common ones are configure (global configuration mode) and exec (EXEC mode). The desired privilege level is given as level and the IOS command as command. The reset keyword can be used to reset the command’s privilege level to the default.
d. Encrypt passwords displayed in the router configuration:
(global) service password-encryption
By default, passwords on lines and usernames, as well as the enable password, are displayed as clear text (not encrypted) in the router configuration. This command can be used to cause the passwords to be displayed in a basic encrypted form. (The passwords themselves are not stored encrypted; rather, they are only displayed encrypted with commands such as show running-config.)
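The settings from step 3k (exec-timeout), step 4 (SSH prerequisites, transport input ssh, ip ssh version 2) and step 5 (username passwords, enable secret, service password-encryption) are easy to check mechanically in a saved running-config. The following Python audit is an added example, not the book’s code: WEAK_CONFIG and HARDENED_CONFIG are constructed excerpts with placeholder hashes, the function names are the example’s own, and the username ... secret form in the hardened sample is an IOS command not covered in this chapter.

```python
import re

# Constructed running-config excerpt (not from the book). It deliberately mixes
# weak and hardened settings so that most of the checks below fire.
WEAK_CONFIG = """\
hostname Router1
ip domain-name example.net
enable password cisco
username admin password 0 letmein
ip ssh version 2
line con 0
 exec-timeout 0 0
 login local
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
line vty 5 15
 login
 transport input all
"""

# The same router after steps 4 and 5 (constructed; "5 $1$PLACEHOLDER$hash"
# stands in for real hashes, and "username ... secret" is outside this chapter).
HARDENED_CONFIG = """\
hostname Router1
ip domain-name example.net
service password-encryption
enable secret 5 $1$PLACEHOLDER$hash
username admin secret 5 $1$PLACEHOLDER$hash
ip ssh version 2
line con 0
 exec-timeout 5 0
 login local
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
"""


def parse_config(config: str):
    """Return (global_cmds, {line header: [indented sub-commands]})."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            line_blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def audit(config: str) -> list:
    """Return one finding string per weak setting found in the config."""
    g, lines = parse_config(config)
    has = lambda prefix: any(c.startswith(prefix) for c in g)
    # Global checks, each tagged with the step of this chapter it comes from.
    checks = [
        (not has("hostname "), "step 4a: no hostname (needed for SSH keys)"),
        (not has("ip domain-name "), "step 4a: no ip domain-name (needed for SSH keys)"),
        ("ip ssh version 2" not in g, "step 4g: ip ssh version 2 not set"),
        (not has("enable secret "), "step 5c: no enable secret configured"),
        (has("enable password "), "step 5c: enable password present; use enable secret"),
        ("service password-encryption" not in g, "step 5d: service password-encryption off"),
    ]
    findings = [msg for bad, msg in checks if bad]
    # Step 5a: encrypt-type 0 (or no type at all) means a clear-text password.
    for c in g:
        m = re.match(r"username (\S+) password (?:0 )?\S+$", c)
        if m:
            findings.append(f"step 5a: clear-text password for user {m.group(1)}")
    for header, cmds in lines.items():
        # Step 3k: both forms disable the idle EXEC logout entirely.
        if "exec-timeout 0 0" in cmds or "no exec-timeout" in cmds:
            findings.append(f"step 3k: {header}: idle EXEC timeout disabled")
        if not header.startswith("line vty"):
            continue
        # Step 4f: the default is transport input all; vty lines should be SSH-only.
        transport = [c for c in cmds if c.startswith("transport input ")]
        if not transport:
            findings.append(f"step 4f: {header}: no transport input (all allowed by default)")
        elif transport[-1].split()[2:] != ["ssh"]:
            findings.append(f"step 4f: {header}: {transport[-1]} allows non-SSH access")
        # Step 5b: a vty line needs a login method; plain login also needs a password.
        if not any(c.startswith("login") for c in cmds):
            findings.append(f"step 5b: {header}: no login method (sessions are closed)")
        elif "login" in cmds and not any(c.startswith("password ") for c in cmds):
            findings.append(f"step 5b: {header}: login without a line password")
    return findings
```

Running audit(WEAK_CONFIG) reports seven findings, one per weak setting, while audit(HARDENED_CONFIG) returns an empty list.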
6. (Optional) Configure system banners:
(global) banner {motd | login | exec | incoming} delimiter
(global) text
(global) delimiter
The message-of-the-day banner is defined with the motd keyword. It displays before the router login prompt when connecting via Telnet and after a user logs into the router when connecting via SSH. The login banner, defined with the login keyword, displays after the message of the day and just before the login prompt. The login banner does not display when a router is configured to use only SSHv1. The exec banner, defined with the exec keyword, displays just after a user logs into the router. The reverse-Telnet banner, defined with the incoming keyword, displays after the message-of-the-day banner when a user connects to the router using reverse Telnet.
The banner text can be one or more lines. It is bounded by the delimiter character. Choose an uncommon character as the delimiter (such as ~ or %). The message-of-the-day banner is useful when important network news or an access policy or legal warnings must be presented to potential users. The remaining banners can relay specific information about the system, such as the name, location, or access parameters.
The following built-in tokens can be used to include other configured information in a banner:
$(hostname)—The host name of the router (from hostname)
$(domain)—The domain name of the router (from ip domain-name)
$(line)—The line number of the async or vty line
$(line-desc)—The line description (from the description command on the async interface associated with the line)
$(peer-ip)—The IP address of the peer machine
$(gate-ip)—The IP address of the gateway machine
$(encap)—The encapsulation type (SLIP or PPP)
$(encap-alt)—Displays the encapsulation type as SL/IP instead of SLIP
$(mtu)—The maximum transmission unit size
7. (Optional) Configure session menus
a. (Optional) Configure a title message:
(global) menu name title delimiter
(global) text
(global) delimiter
A title or banner can be defined and displayed prior to menu options. The title can be used to display a welcome message and instructions on making menu choices. All commands pertaining to a menu must be linked to the menu name. Title text can be one or more lines, bounded by the delimiter character. To clear the screen prior to the menu title, use the menu name clear-screen command.
c. Configure menu items
Next, you configure your menu items. You can have up to 18 menu items. To create them, repeat Steps d through f that follow for each item.
d. Define an item title:
(global) menu name text item text
Each item in the menu named name has a key that the user must press to select the item. This is defined as item. It can be a character, number, or word. The item key is displayed to the left of the item text in the menu.
e. Define an item command:
(global) menu name command item command
When a menu item is selected by the item key, the command string is executed. For example, the command could open a Telnet session to a remote system. A command can also be defined as a “hidden” command such that no item text is displayed for the user to see. To do this, configure the menu command but don’t configure the companion menu text.
Menus can also be nested so that a menu selection can invoke an entirely different menu of choices. To do this, use the keyword menu as the command string (such as menu name command item menu name2). Then define the new nested menu with the menu text and menu command lines.
Note You can also define a menu item that allows the user to return to a command prompt or a higher-level menu and end the current menu. Define a menu item with menu-exit as the command (that is, menu name command item menu-exit).
f. Define a default menu item:
(global) menu name default item
If the user presses the Enter key without specifying an item, the item is selected by default.
g. Execute a menu
Execute from the command line:
(exec) menu name
The menu called name is executed at the command-line prompt. In this case, remember to include a menu item that allows the menu to terminate (menu name command item menu-exit). Otherwise, you will be caught in an endless loop of menu choices.
Execute automatically on a line:
(line) autocommand menu name
The menu name is executed automatically as soon as a user accesses the line with a terminal session. In this case, it would be wise to keep the user in a menu loop so that he or she won’t end up in an unknown or potentially dangerous state, such as the command-line prompt.
Execute automatically for a user:
(global) username user autocommand menu name
The menu name is executed automatically as soon as the user named user successfully logs into the router.